Tag Archives: Trojan

Wikipedia defines a digital certificate as ‘an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.’

In the case of software, it is used to ensure that the software is what it claims. Operating Systems use digital certificates to make sure that an application that is being installed is valid. But what if the digital certificate is obtained by giving fake information?

There have been cases in the past where malware authors used stolen digital certificates for their rogue apps. But according to a report from Kaspersky, a group of Brazilian Trojan authors was able to obtain genuine certificates from Comodo by using fake data.

The authors used a fake company name, gastecnology.org, to obtain the certificate. As shown in the Securelist blog, a simple DNS lookup of that particular domain name gives us some clues as to the veracity of that company.

Firstly, the email address used to register the account is a free Yahoo Mail account, and secondly, the phone number as well as the address provided were fake.

After obtaining the digital certificate, the malware authors used an extensive email campaign to spread the malware. The certificate has been revoked since then and the application is now flagged as malware.

Although the certificate was revoked, the big question here is why the certificate was issued in the first place. Since a digital certificate plays an integral part in verifying the validity of an application, a certificate should only be issued after verifying the submitted data, which was not the case here. Hopefully certification authorities will be more careful after this incident.

Russian security firm Dr.Web has identified a new Trojan named BackDoor.Wirenet.1 which runs on both Linux as well as Mac OS X. This is the first ever cross platform Trojan that has been discovered to affect both of the aforementioned operating systems.

At the moment, not much information is available on this malware. But research is ongoing, and it is said to steal passwords from all of the popular browsers such as Safari, Chrome, Opera and Chromium. It also steals passwords from applications such as Thunderbird, SeaMonkey and Pidgin.

According to Dr.Web, when executed, the Trojan copies itself to the user’s home directory, that is %home%/WIFIADAPT.app.app on Mac OS X and ~/WIFIADAPT on Linux.

Cross platform Trojans are not rare. Trojans that affect both Windows and Macs have been identified in the past. A recently discovered Trojan checked which operating system the affected user was running and downloaded the payload accordingly. Another one, discovered in May, used an unpatched Java vulnerability to open backdoors on Windows and Mac. But as I mentioned before, this is the first time that a cross platform Trojan affecting Mac and Linux has been discovered. We will be updating this article as more details are released.

Mac OS X has been devoid of any large scale viruses and Trojans for a long time now. However, as the popularity of the Mac has grown of late, virus creators have started targeting the OS with new viruses. This is evident in the number of viruses and Trojans which are being written for Mac. Take for example the Fake Mac Defender Anti-Virus (removal instructions).

A recent investigation by a security group has found that a new virus called Flashback has been infecting nearly 600,000 Macs globally. The latest variant of this virus has been targeting an unpatched Java vulnerability on Macs. The OSX Flashback Trojan connects to a remote server and downloads instructions and a payload. Once the payload has been downloaded, the malware modifies web pages in the web browser, tries to collect personal and other information, and sends it back to the attackers’ servers.

If you are a Mac user, the first thing you should do is apply the new patch supplied by Apple that patches this vulnerability. However, there is a chance that you might have been already infected by the Trojan.

F-Secure has put up detailed instructions on their website to find out whether you are infected by the Flashback Trojan for Mac, along with instructions to remove the OSX Flashback Trojan. You can visit this page to find instructions for detecting Flashback and removing it from your system.

The detection and removal instructions are targeted towards advanced users so you might want to have someone familiar with Terminal taking a look at it for you.

Also, don’t forget to apply the latest update patch supplied by Apple. To do that, open the main system menu on your Mac by clicking on the “Apple icon” and click on the item “Software update”. Once the software update has checked for updates, apply any new patch/Java update that is available for your system.

We’ll try and post simpler detection and removal instructions for this shortly.

News of Duqu, a large-scale Trojan attack, surfaced on the Internet last week. The impact of Duqu measures up to the likes of Stuxnet, as it attacks mission critical systems. Duqu was discovered by Symantec, which claimed that it had code similar to the Stuxnet Trojan. This malware has raised concern in the world of security as it has been devised to cause mayhem in industrial fields, just like Stuxnet. The primary targets of Duqu are oil refineries, power plants and pipeline systems.

Duqu has a very similar scare-factor to Stuxnet because it attacks critical industries. Although it is not related to Stuxnet in any way, the complicated nature of Duqu makes it look like a well-funded attack, probably by a government. The first piece of evidence in Duqu was found at Web Werks, a web-hosting company based in Mumbai. The Department of Information Technology in India received a tip from Symantec, and the Indian Computer Emergency Response Team visited the Web Werks offices. They seized two hard drives with information on the Trojan. Apparently, the hosting at Web Werks was used to run the Trojan’s command-and-control center. However, the complicated nature of the Trojan makes a quick analysis difficult.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer. Initial analysis of this threat has shown that it is related closely to the W32.Stuxnet worm from 2010.

Although the affected-system list does not include Windows 7, it includes every Windows version before Windows 7, all the way back to Windows 95. However, you may be surprised to see that the Symantec page on Duqu lists it as low severity.

Web Werks has failed to track down the dubious customer who owned the hosting account, and the Indian Department of Information Technology is yet to unearth the mysteries contained in the seized drives. A second command-and-control center has recently been located in Belgium.

In the meantime, the CrySyS laboratory in Hungary got hold of an installer for Duqu and claims that it exploits an unknown vulnerability in the Windows kernel. The attack spreads through a .doc (Word document) file and is being distributed through social engineering. The safest way to protect against the worm is to follow email best practices and to steer clear of anything that looks fishy, especially dubious Word documents.

According to security researchers at F-Secure, a new variant of an existing Trojan horse posing as a legitimate Flash Player installer (named Flashback.C by F-Secure) is designed to disable updates to the default Mac OS X anti-malware protection system, potentially leaving the system open to the manual installation of other malware without any system warnings.

A Trojan horse works by fooling you into running it; in this case, Flashback disguises itself as an installer package for Flash Player. This Trojan horse is potentially capable of disabling XProtectUpdater, the auto-update component of Apple’s built-in XProtect anti-malware application, by overwriting the system binary that checks for updates.

Once installed, Flashback.C first checks to see if the user is running “Little Snitch,” a firewall program that could alert the user to its actions. If it is found to be installed, the Trojan deletes itself. If it doesn’t find Little Snitch, the malware then tries to connect to a remote host in order to obtain other installation files and configurations. F-Secure notes that “the remote host is up but it does not [yet] push anything.” If and when the site becomes active, it could deliver a payload that the Trojan could use to disable the system’s auto-updater, using Safari or Firefox to load the malicious code via an LSEnvironment variable that takes effect when the browser restarts. The local system would then be unable to obtain the latest anti-malware definitions and could subsequently be infected by other malicious programs the user installs without seeing the warnings that Mac OS X’s XProtect feature is designed to present.
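A detection check for the injection channel described above, written as an added example (not F-Secure’s tooling or code from the original post): it parses an application bundle’s Info.plist and reports any LSEnvironment entries, rating dynamic-loader variables (names beginning with DYLD_) as high risk. The browser bundle paths and the sample plist are assumptions constructed for the demonstration.

```python
"""Report LSEnvironment entries in a macOS app bundle's Info.plist.

Launch Services exports variables listed under LSEnvironment into the app's
process at launch, the channel the post describes for Safari and Firefox.
A stock browser bundle has no LSEnvironment key, so every entry is notable.
"""
import plistlib
from pathlib import Path

# Constructed sample resembling a tampered browser Info.plist; the library
# path is a placeholder, not an indicator from the report.
TAMPERED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/path/to/injected.dylib</string>
  </dict>
</dict>
</plist>
"""


def lsenvironment_entries(plist_bytes: bytes) -> dict:
    """Return the LSEnvironment dictionary, or {} when the key is absent."""
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment", {})
    return dict(env) if isinstance(env, dict) else {}


def classify(entries: dict) -> list:
    """(name, value, risk) per entry; dynamic-loader variables rate 'high'."""
    return [(name, str(value), "high" if name.startswith("DYLD_") else "review")
            for name, value in sorted(entries.items())]


def scan_bundle(app_path) -> list:
    """Scan <App>.app/Contents/Info.plist on disk; a missing plist yields []."""
    plist_path = Path(app_path) / "Contents" / "Info.plist"
    if not plist_path.is_file():
        return []
    return classify(lsenvironment_entries(plist_path.read_bytes()))


if __name__ == "__main__":
    # Browser bundle paths are assumptions about a typical install.
    for app in ("/Applications/Safari.app", "/Applications/Firefox.app"):
        for name, value, risk in scan_bundle(app):
            print(f"{app}: LSEnvironment {name}={value} [{risk}]")
    print(classify(lsenvironment_entries(TAMPERED_INFO_PLIST)))
```

The same check applies to the per-user environment.plist mentioned in F-Secure’s removal instructions, since any entry there is loaded into every application the user starts.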

If you fear that you might have been infected, you can see removal instructions given by F-Secure here. Also, always download software from original company websites to remain protected from Trojan horses like this. Read our tips to keep your computer Safe and Secure here.

Today, I received a letter from Emsisoft that explained how a well known group of hackers in Germany discovered and tested a Trojan program that’s used by the German federal government to spy on its citizens. These white hat hackers, known as the Chaos Computer Club, determined that the “R2D2” or “State Trojan” is not only able to spy on an infected target computer, it’s also able to download more software and remotely control the target computer. So far, it’s designed to work only on Windows based PCs.

Back in 2008, Computerworld reported that WikiLeaks documents showed Germany had hired a company named “Digitask” to create a Trojan spy program for them. A few days ago, ZDNet confirmed that several German state agencies have admitted to using this Trojan in their investigations. Naturally, these were “legal” uses of the Trojan, and required a judge’s signature.

The Electronic Frontier Foundation was curious to see if the U.S. Government had similar trojans, and in 2008, they submitted a FOIA request. Unlike many other attempts to get information released, the EFF received documents that revealed how the FBI was investigating ways to intercept Skype conversations. I think we can assume that since then, the U.S. has done more than just “investigate” how to spy on Skype.

What does all of this mean to the average Windows user? It means that you not only have to worry about threats from the usual hackers after your money, you also have to worry about “Big Brother” Trojans from your own government. Fortunately, companies like Emsisoft, F-Secure and Sophos have assured us that they intend to search for and eliminate government Trojans as well as the typical spyware we’re used to seeing.

For those of you who are using Macintosh or Linux instead of Windows, feel free to stick out your tongue and say “na na na na na na”. You don’t have to worry about these Trojans … for now.

The first piece of malware for Android 2.3 ‘Gingerbread’ has been spotted. Working alongside NetQin – a mobile security firm, security researcher Xuxian Jiang has located and detailed the inner workings of GingerMaster, the first piece of malware that attacks Android Gingerbread.

Using Gingerbreak, the latest exploit for gaining root access on Gingerbread, the malware gathers information about the infected device and sends it to a remote server. In addition to exfiltrating the IMEI, phone number and SIM serial, GingerMaster creates a backdoor root shell, stored in the system partition in an attempt to survive software upgrades, to allow an attacker to access the device at will.

The malware also acts as a Trojan horse. After registering with a remote server, the application sits and waits for instructions on a ‘command and control’ channel. This allows an attacker to remotely trigger events, such as downloading and installing more malware without the user knowing, or reading personal information saved on the phone.

With more and more malware for Android popping up, mobile security software is a reasonable way to protect your device, but using common sense, downloading applications only from official stores and understanding the risks of the permissions you grant to apps, is a better way to protect yourself from these threats. While both Google and Apple are looking for ways to implement a “kill switch” for unauthorized devices or applications, this is a reactive measure to a problem inherent in all security implementations: they rely on the user.

As if the various Osama Bin Laden video scams on Facebook were not enough, new malware is now being spread through email. If you receive any email with an attachment named Fotos_Osama_Bin_Laden.zip or something similar, DO NOT OPEN IT.

According to F-Secure Labs, an email is doing the rounds of the Internet with an attachment named Fotos_Osama_Bin_Laden.zip; it may also be named Photos_Osama_Bin_Laden.zip. The archive contains an executable named Fotos_Osama_Bin_Laden.exe.

The executable does not contain any photos of Osama Bin Laden; it carries Trojan-Downloader:W32/Banload.BKHJ, a banking Trojan. It installs itself on the system, monitors your online banking sessions via a Browser Helper Object (BHO) and tries to redirect your payments to the wrong accounts.

If you have downloaded or clicked on the attachment, disconnect from the Internet and then run a free online scanner or an anti-malware tool. You might also want to run a scan with your antivirus. If you don’t have one, head over to our Free Antivirus section to find one.

The new Trojan plays on the human curiosity generated by the death of Osama Bin Laden. There are actually no leaked photos or videos of the event. Our advice: don’t click on any links which tell you that you can watch a censored video or pictures of Osama Bin Laden’s death.

You will not be able to watch any videos or pictures unless the US government releases them. So hold your horses until then, and don’t spread the virus or become affected by it.

If you are someone who does not like to install an antivirus on your PC, or you just want to check whether your current antivirus is really working well, a new tool from Microsoft will come in handy.

Microsoft Safety Scanner is free security software from Microsoft which provides on-demand scanning while allowing users to remove viruses, spyware, Trojans and other malicious software from their PC. Safety Scanner works alongside your current antivirus software, so you don’t have to uninstall your current AV protection to use it.

One of the bad things about Microsoft Safety Scanner is that it expires every 10 days. Users will have to download a new version to scan their system every ten days, which could be annoying considering that it is around 70MB in size. A simple definition update should be added so that users don’t have to download new versions every 10 days.

Users must also note that, unlike traditional antivirus software, Safety Scanner does not provide continuous protection and should not be used as a replacement for traditional antivirus software. Microsoft Safety Scanner should only be used to additionally scan your PC. If you intend to replace your current antivirus, you might check out our Free Antivirus section to find a suitable alternative.

Back in 2000, a software engineer, Patrick Kolla, created the basis of a tool for dealing with spyware. This tool, later named Spybot Search and Destroy, was one of the first effective freeware apps for the removal of many kinds of adware and malware that were infecting PCs. Since then, millions of people all over the world have used it at one time or another. To this day, many people consider it an essential part of their PC defenses.

Patrick’s work on Spybot hasn’t stopped, and it’s been updated several times over the years. Today Spybot-S&D can repair or remove:

Bad registry keys
Winsock LSPs
ActiveX objects
Browser hijackers
BHOs (Browser Helper Objects)
Tracking cookies
Trackerware
Homepage hijackers
Keyloggers
Trojans
Adware
Spyware
Rootkits
Other kinds of malware

Here’s a screenshot of Spybot as it scanned my laptop yesterday.

Typically, I use Spybot as a secondary scanner, to catch things that my antivirus and other defenses have missed. However, the TeaTimer portion of Spybot can be installed to watch over your computer continuously in the background.

Another great feature of Spybot is its ability to add immunizations against some common weaknesses in Internet Explorer and other areas of your PC.

Spybot can be updated every time you use it, by clicking the update icon. Always check for new updates before running a scan.

I prefer to have most of the programs on my PC, set up as portable applications. I was happy to find that Spybot is also available as a portable app.

Spybot is one of those apps that have proved themselves over years and years of use. It’s always been free, and it’s probably saved millions of people headaches from re-installing their OS after an infection. It deserves to be highly recommended.